BACKGROUND


The Purchasing & Warehouse Operations Services department supports 89 schools, 4,060 teachers, and 
51,046 students. Their mission is to provide a selection of quality goods, services and suppliers for the 
use of APS students and staff, accomplished through purchasing principles of acceptable value at best 
price, transparency, and equal and fair competition in compliance with board policy and state/federal 
law. 

Atlanta Public Schools (APS) Purchasing & Warehouse Operations Services department is led by Alisa
Morningstar, Executive Director, who reports to the Chief Financial Officer, Lisa Bracken. Department 
operations consist of procurement services and warehouse and logistics supply management. 
Procurement Services Staff includes two Senior Buyers, two Purchasing Agents, two Associate Buyers, 
and one Administrative Assistant. As of April 2019, a new Director of Procurement was hired. 

In 2016, it was discovered that the former Procurement Director had altered vendor records for his own 
company to reflect a new Tax ID number and bypassed APS policy that requires Board approval for 
purchases over $100,000. No quotes or formal solicitations were obtained for proposed services. Also, 
no contract existed between his company and APS for the services provided. In March 2017, Mrs. 
Morningstar was hired to help turn the department around and improve procurement operations. 

The Office of Internal Compliance (OIC) was engaged to identify risks and controls in the procurement 
process to determine if there are any areas of improvement needed. OIC determined if: 

• APS monitors important aspects of its programs, systems, and processes as it relates to 
segregation of duties; 

• Purchases conducted by APS are in accordance with APS' governing policy and procedures; 

• Transparency is displayed in all procurement activities; 

• Board review and approval of purchases occur prior to contract execution; and

• Proper contract execution occurs prior to delivery of goods and services.

OIC examined key processes and used professional judgement and knowledge of those processes to 
determine whether such processes are within the acceptable purchasing authority. 

AUDIT OBJECTIVE 

The objective of this audit was to determine if adequate controls are in place within the procurement 
services function, as well as provide assurance that those controls are operating efficiently and effectively. 

AUDIT SCOPE 

Requisitions and Purchase Orders initiated from September 1, 2017 to January 28, 2019.

AUDIT METHODOLOGY 

OIC conducted interviews with personnel involved in administration and oversight of procurement 
processes. Also, OIC examined Lawson Financial System inputs and related documentation to identify
any discrepancies relating to approvals and receipt of materials. A sample of 25 transactions was
randomly selected for detailed testing, and specific system controls and processes were selected for
examination of related procedures.
EXECUTIVE SUMMARY


The Procurement Services Audit was approved as part of the Office of Internal Compliance (OIC) FY2018-
2019 Internal Audit Plan.

Key processes within the Purchasing & Warehouse Operations Services department were reviewed to 
determine whether practices are in compliance with applicable policies and procedures. We believe that 
the evidence obtained provides a reasonable basis for our observations and conclusions based on our 
audit objectives. The audit examined requisition and purchase order transactions initiated between 
September 1, 2017 and January 28, 2019. Our audit objective was as follows:

• Determine if adequate controls are in place within the procurement services function, as well as 
provide assurance that those controls are operating efficiently and effectively. 

The audit was primarily focused on the following areas: (1) Segregation of duties; (2) Vendor 
registration; (3) Purchases; (4) Bidding Practices; and (5) Contract Management. Additionally, the 
detailed report contains a section for other observations and recommendations that were identified 
during the audit. The major observations are highlighted below: 

1. Periodic access reviews and analysis of segregation of duties within the procurement function 
are not being performed. As a result, controls are not in place to mitigate the risk of fraud,
financial statement misstatements, interruption to business operations, unauthorized access to 
sensitive data, and theft of intellectual data. 

2. A review process is not in place to ensure that changes made to the Vendor Master File are 
appropriate. Consequently, the district is exposed to increased fraud risk (i.e. billing schemes, 
fictitious vendors, nonaccomplice vendors). 

3. Controls are not in place to ensure completion of Vendor Registration Packets and background 
checks (i.e. U.S. government SAM website, valid notary stamp). As a result, fraud, regulatory 
compliance, and reputational risk increases. 

4. Supporting documentation for quotes and bids (formal solicitation process) such as contracts, 
website postings, administrative review, and certificates of insurance were missing. Failure to 
obtain competitive bids increases the risk of fraud by corruption activities such as bid-rigging, 
bribery, and conflicts of interest. Lack of supporting documentation for purchases gives the 
appearance that the bidding process is not fair and transparent. Lack of proper insurance 
coverage exposes the district to increased legal liability should any accidents occur. 

5. Controls are not in place to ensure adequate management of contracts. As a result, there is no 
assurance that the vendor agrees to terms, conditions, and specifications of the project. This 
may lead to the district unknowingly having an obligation to pay for unauthorized work and/or 
possible legal action. 


AUDIT CONCLUSION 

Based on audit observations, we noticed some general overarching themes in the procurement services 
function. A lack of document retention exists which would serve as evidence of adherence to policies, 
procedures, and regulatory compliance requirements. Internal controls are not sufficient to minimize 
financial risk, compliance risk, and fraud risk down to an acceptable tolerance level. 



AUDIT OBSERVATIONS AND RECOMMENDATIONS 


PERIODIC ACCESS REVIEW 
Observation #1

During the course of our audit, it was discovered that the Information Technology Services ("ITS") 
department is not performing periodic access reviews. 

National Institute of Standards and Technology (NIST) AC-2 Account Management requires an 
organization to specify authorized users of the information system, group and role membership, and 
access authorizations (i.e., privileges) and other attributes for each account. 

While access is initially approved when an employee is hired and/or transfers departments, ITS is not 
performing a periodic (i.e. monthly or quarterly) access review with department heads to determine if 
access to that department's systems is still appropriate based on the employee's job function. 

Inappropriate or excessive access privileges could lead to unauthorized changes to business critical 
systems, access to sensitive data or intellectual property, or fraud. 

Recommendation 

We recommend the following steps for ITS management to consider in establishing a periodic access 
review program to address identified risks: 

• Develop a plan for periodic access review including how it will be administered, how often it will 
be performed, and who in the ITS department will be responsible for performing the review.

• Update ITS policy and/or procedure documents to reflect the changes. 

• Communicate the new process updates to the appropriate ITS and APS department personnel. 

• Implement the Periodic Access Review and maintain evidence to support that the review was 
performed. 

Management's Response 

Access to the Lawson/Procurement system is directly tied to an employee's active directory credentials. 
This means that when employees leave the organization (and they are terminated in the HR system),
their access to the Lawson system is also terminated within hours (after the indicated last date). There is 
therefore no risk that a former (or departed) employee will continue to access the Lawson system. 

We acknowledge that there has to be a process to periodically cleanup access rights that may have been 
provisioned to the former employee(s) as recommended in the audit finding. 

Implementation Plan #1 

• Monthly Review/Cleanup - In January 2019, we developed processes to perform cleanup 
actions for application rights/access (see attached sample document). This process needs to be 
immediately implemented for the Lawson system. 

• Implementation Date: July 2019 

• Responsible Party: Caprice Bryant, supported by Tameka Barber

• Comments: In July 2019, we will begin a monthly review/cleanup of access rights for former 
employees to ensure that those rights are completely removed from the Lawson system. 
• Action: Initial mass cleanup required; develop, implement and monitor process for on-going
cleanup 

Implementation Plan #2 

• Implement role-based access to Lawson in order to address employees that transfer to new 
roles/positions. 

Phase 1 - GHR Security (implemented Summer 2018) 

Phase 2 - Lawson S3 Security (estimated November 2019) 

Phase 3 - Role-based access (FY2021) 

• Implementation Date: FY 2021 (estimated) 

• Responsible Party: Olufemi Aina, supported by Lawson Upgrade Team & IT Security 

• Comments: Role-based access to the Lawson system is something that we have been looking at 
doing. This however has a dependency on the on-going ERP upgrade project. The role-based 
access (when fully implemented) will help to address the issue of employees who transfer from 
one role into another. It will automate the de-provisioning process. 

• Action: Develop and implement role-based access dependent on HR data 

SEGREGATION OF DUTIES 
Observation #2 

An analysis of Segregation of Duties within the procurement process has not been performed. Although 
the Lawson system has capabilities to report on segregation of duties, procurement management has 
not utilized that functionality nor performed a segregation of duties analysis to determine if logical 
access for procurement personnel is appropriate. 

National Institute of Standards and Technology (NIST) AC-2 Account Management requires an 
organization to specify authorized users of the information system, group and role membership, and 
access authorizations (i.e., privileges) and other attributes for each account. 

Inadequate segregation of duties increases the risk of fraud as it could allow people the ability to create 
unauthorized transactions, make unauthorized purchases through creation of fictitious vendors, as well 
as nonaccomplice vendors. 

Recommendation 

Procurement management should consider developing and implementing the following processes and 
procedures:

• Establish and implement standards that enforce segregation of duties; 

• Periodically review and update the standards; 

• Identify and document conflicting duties and responsibilities; 

• Enforce segregation of duties physically and logically where feasible and appropriate; and 

• Review the impact on segregation of duties and reassign responsibilities where necessary when 
job roles and responsibilities are created and/or updated. 

Management's Response 

If the IT Department is able to give Procurement access to a list of users and their permission levels within
Lawson as described in Observation #1 above, Procurement management will develop a policy around
periodic review of access. The review will include review of approval levels (including hierarchies within
Departments), recommendations to remove approvals if conflicts exist, and recommendations to purge
the system of inactive users on an annual basis. 

Procurement management is also recommending all users with access to the Procurement portal in 
Lawson (including entering requisitions, PO receiving, and approvals) be required to take an online 
webinar on District Purchasing Policies and Procedures before they are given access to the new Lawson
upgrade. This requirement would extend to new employees as they join the district, if they will have 
Procurement related duties. 

Implementation Date: This date will be tied to the Lawson upgrade date. 

Responsible Parties: Procurement Management (Carrie Roberts) 

VENDOR MANAGEMENT 
Observation 

Our review of Vendor Registration packet supporting documentation revealed that procurement
personnel are not always obtaining and/or maintaining required documentation. Also, there is no 
oversight or review process in place to ensure that additions, deletions, and changes to the Vendor 
Master File are appropriate. 

The APS Procurement Services Procedures Manual requires a vendor to register with the Procurement 
Services department in order to do business with the district. The vendor must complete and submit the 
following items included in the Vendor Registration Packet: 

• Vendor Registration Form 

• Affidavit 

• Request for Taxpayer Identification Number and Certification (Form W-9)

• Valid notary stamp w/legible seal and date 

• All applicable E-verify Forms 

In addition, procurement personnel are required to perform an active exclusion check via the U.S. 
Government's System of Award Management (SAM) website to determine if certain vendors have been 
suspended or barred from doing business with the government. 

We noted that 17 of the 26 samples (65%) reviewed were missing one or a combination of the following:

• Vendor registration documentation 

• Vendor Registration Packet (i.e. no documentation) 

• Evidence of SAM website check 

Failure to ensure proper vendor registration not only increases fraud and regulatory compliance risk to 
the district but also reputational risk since the district is subject to open records requests. Lack of 
internal controls around vendor setup and maintenance exposes the district to increased fraud risk (i.e. 
check theft, billing schemes) because personnel have the ability to make unauthorized changes to the 
vendor master file that are not reviewed or checked. 








Recommendation 

Purchasing management should establish a formal Vendor Management Program (which may include 
the purchase of a vendor management system) to ensure ongoing review and monitoring of the vendor 
relationship as well as policy and procedure development. Based on best practices, the key components 
to build an effective and comprehensive vendor management program include:

1. Program Owner. Designate someone who "owns" vendor management, including approval of
vendors and ensuring compliance with the company's approved policies and procedures.

2. Policies and Procedures. Develop written policies and procedures to provide a framework for
governance of vendors.

3. Methodology to Risk Rate Vendors. Require more diligence and effort be devoted to higher-risk
vendors than moderate and low-risk vendors to determine the diligence and documentation
requirements.

4. Due Diligence and Auditing. Learn as much about a potential vendor as possible to assist with
vendor selection. Audit the vendor to ensure compliance throughout the term of service.

5. Required Compliance Documentation. Provide documentation to support the vendor's audit
response to include qualifications, evidence of adequate insurance, licenses, references,
certification of the vendor's compliance with applicable laws and regulations, etc.

Management's Response 

Effective June 1, 2019, Procurement has added services to our current agreement with Bonfire (formal 
solicitation distribution vendor). The new module includes a Vendor Management and Performance 
system. With the inception of this new module, vendors will be required to submit vendor registration 
packets electronically and attachments will be mandatory, ensuring that registration packets are not 
accepted by the system until they are complete with all mandatory documents. Once the vendor 
registration is complete in Bonfire, Procurement staff will be able to see their registrations, and the vendor 
will then be entered into Lawson.

Procurement Management is currently in the process of updating Policies and Procedures to reflect the 
new Bonfire module. These new Policies and Procedures will be available on the Procurement web site, 
will be incorporated into the "How to do business with APS" seminars, and distributed to the applicable 
APS staff. 

Implementation Date: Contract Module Project began 6/2019, anticipate 6 months to complete

Responsible Parties: Procurement Management (Carrie Roberts), Project Manager (Althea Hussey)

PURCHASES (QUOTES; NO BID REQUIRED)

Observation #4

The APS Procurement Services Procedure Manual requires two written quotes for purchases valued 
$2,001 to $25,000. Also, when making purchases, the requester is required to check if a district-wide 
contract was established for the goods or services. If a district-wide contract does not exist, then the 
requester obtains two written quotes via fax, e-mail, internet, or from catalogs. 



In 5 of 8 transactions (63%) that required two quotes or an executed state contract, APS contract, or 
lease agreement, supporting documentation was missing. Failure to seek competitive quotes may result 
in the district paying higher than necessary prices for goods and services. 

Recommendation 

Procurement management should consider developing and implementing controls to ensure that two 
written quotes are obtained for purchases, and that the documentation (i.e. proof) is retained and filed. 

Management's Response 

The current procedures require the end-users to keep record of all quotes received for purchases 
between $2,001.00 and $25,000.00. Under the current Lawson procedures, end users do not upload 
attachments to requisitions. Procurement management has recently discovered that the system does 
have this capability. Effective at the start of Fiscal Year 2020, end users will be required to attach two 
(2) quotes to each requisition for the amounts noted above. Procurement staff will review the quotes 
prior to approving a purchase order. The quotes will remain in the Lawson application for audit review 
as needed. 

Implementation Date: July 1, 2019

Responsible Parties: Procurement Management (Carrie Roberts) 

PURCHASES (BIDDING PRACTICES) 

Observation #5

We reviewed documentation supporting the formal solicitation process and noted that evidence of 
required postings, documentation, and approvals were missing as follows: 

• APS website posting (4 of 25 transactions; 16%) 

• Procurement Administrative Review and/or Evaluation (23 of 25 transactions; 92%) 

• Certificate of Insurance (20 of 21 transactions; 95%) 

APS Board Policy DJEA, Purchasing Authority requires a formal solicitation process for purchases 
exceeding $25,000 to ensure competition and transparency. The APS Procurement Services Procedures 
Manual requires the posting of solicitations on the APS website and the Georgia Procurement Registry. 
Also, the manual requires vendors to submit Certificate of Insurance. 

Although 23 of the 25 transactions (92%) were not initiated under the current Executive Director, the 
lack of policy and procedure enforcement among the buyers/agents continues to be consistent. After
formal solicitation, those same buyers/agents did not follow processes relating to obtaining
Certificates of Insurance and current executed contracts.

Failure to obtain competitive bids increases the risk of fraud by corruption activities such as bid-rigging, 
bribery, and conflicts of interest. Failure to retain supporting documentation of competitive bids gives 
the appearance that the bidding process is not fair and transparent. Failure to check for adequate 
insurance license and coverage exposes the district to increased legal liability should any accidents occur 
during the course of the project. 







Recommendation 

Procurement management should consider establishing a plan and/or system to enforce the policy of 
retaining documentation for all bids and tracking compliance. 

Management's Response 

Under current operations for both of these services, Procurement is responsible for conducting a Request
for Qualifications (RFQ), to include all stages of the solicitation including advertisement, evaluation, and 
board approval. The result of these solicitations is a Qualified Vendors List. Once those vendors are 
approved by the board, individual projects become the responsibility of the Facilities Department. When 
a Construction project is identified, the Facilities Department is responsible for formally soliciting
bids/proposals from the Qualified Contractors List. Under State of Georgia law, there is no requirement 
to formally solicit bids/proposals for architectural projects. The Facilities Department is responsible for 
contract documents, including, but not limited to, evaluations, signatures, and other contract documents 
such as Certificate of Insurance for any individual Construction or Architectural projects. 

For Construction Management and Architectural Services, the Administrative Review is conducted during 
the RFQ process; therefore, additional Administrative Review at the time an individual project is solicited 
by the Facilities Department is not necessary. Additionally, when a piggy-back contract is used (including
State of Georgia contracts), the entity soliciting the contract is responsible for the solicitation process 
including administrative review as well as obtaining documents such as the Certificate of Insurance. 

Effective June 1, 2019, Procurement has added services to our agreement with Bonfire, to include a 
Contracts Management module. This module will allow us to attach all related documents into the system 
electronically, and thereby make tracking and compliance easier to monitor. 

The findings of the Audit Team have prompted Finance and Procurement management to explore best 
practices regarding the current procedures for soliciting Construction and Architectural projects. 
Management has identified two options at this time. Option 1 is the consolidation of the Facilities 
Contracting Services Team to fall under the responsibility of the Procurement Department, to ensure a 
centralized methodology for solicitations and record keeping. Option 2 involves the Facilities Contracting 
Services Team utilizing the Bonfire system for solicitations and contract management. Bonfire has the 
ability to advertise solicitations to a specified list of vendors instead of advertising to the public, thereby 
allowing us to utilize only the pre-qualified contracts. This option would open up the benefits listed herein 
to the Facilities Contracting Services Team. 

Implementation Date: Contract Module Project began 6/2019, anticipate 6 months to complete 

Option 1 or Option 2, implementation dates will be tied to the Option chosen 

Responsible Parties: Procurement Management (Carrie Roberts), Project Manager (Althea Hussey) 

CONTRACT MANAGEMENT

Observation #6

We reviewed supporting documentation for contracts over $100,000 and noted the following: 

• An executed contract did not exist (4 of 23 transactions; 17%) 



• Evidence of board approval was missing (5 of 23 transactions; 22%) 

• Evidence of review by Legal was missing (2 of 25 transactions; 8%) 

• Services were performed before the contract was executed (5 of 25 transactions; 20%) 

The APS Board Policy DJEA, Purchasing Authority requires that capital project contracts with a total annual
value of $200,000 or greater, consultant contracts with a total annual value of $50,000 or greater, and
all contracts with a total annual value of $100,000 or greater be approved by the board. After
award recommendation, a contract is drafted between the APS and the vendor for signature. APS Legal 
Department reviews to approve and/or recommend changes to the contract. 

Vendors performing work prior to the execution of a contract agreement increases the risk that the 
District is obligated to pay for unauthorized work or exposed to possible legal action for perceived 
breach of contract. 

Recommendation 

Procurement management should consider establishing a contract management system that will help 
with tracking, monitoring, and managing vendor contract services; as well as retaining all associated 
documentation and approvals. 

Management's Response 

As previously stated a Contracts Management Module was added to our current Bonfire system June 1, 
2019. Procurement is in the process of downloading all existing contracts into this system, and all future 
contracts will be added at the time of execution. The system will not only be an electronic record of the 
contract itself, but will allow Procurement to track individual documents such as COIs, E-Verify, and Board 
approval documents. The system has the capability to automatically notify Procurement staff and end 
users of contract expirations as well as send end users surveys to track vendor performance. 

Implementation Date: Contract Module Project began 6/2019, anticipate 6 months to complete

Responsible Parties: Procurement Management (Carrie Roberts)

PROCESS DOCUMENTATION 
Observation #7

We observed that the procurement department's standard operating procedures were in "Draft" 
format. In addition, processes identified during interviews with key staff were not always documented 
or executed as described in the interview. 

Lack of policy and procedure documentation, as well as communication of said policies and procedures 
to staff could lead to inconsistent practices among employees and the inability to enforce 
accountability. It could also lead to operational inefficiencies due to redundancy and/or 
miscommunication. 

Recommendation 

Procurement management should establish a system for approval, publishing (including version control), 
and communication of policy and procedure documentation. 







Management's Response 


The Standard Operating Procedures document that was reviewed by Internal Compliance has been 
reviewed and approved by Procurement Management. The "Draft" watermark has been removed and an 
effective date has been added to the footer of the document. As changes are made to this document, 
effective dates will be updated as well. 

Implementation Date: July 1, 2019

Responsible Parties: Procurement Management (Carrie Roberts) 

We want to extend our appreciation to the management and staff at the Purchasing & Warehouse 
Operation Services Department for their cooperation and courtesies extended to us during the audit. 


Connie Brown, CPA, CIA, CRMA 
Executive Director of Internal Compliance 


Senior Manager 




Petrina Bloodworth, CIA, CFE, CRMA 




